import NetworkManager-libreswan-1.2.10-7.el8_10

SOURCES/0003-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch

@@ -0,0 +1,68 @@
+From 4be4c56b4f8a52b1cd5f8aadee273706c28ae332 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sat, 13 Jan 2024 18:10:02 +0100
+Subject: [PATCH 1/1] service: fix wrong refcounting in D-Bus handler for
+ Callback()
+
+The Callback() D-Bus method is handled via a GDBus-generated skeleton
+code in nm-libreswan-helper-service-dbus.c, function
+_nmdbus_libreswan_helper_skeleton_handle_method_call(). The function
+emits signal "handle-callback" to let the program handle the incoming
+method. As documented in the GDoc comments, the signal handler must
+return TRUE if it handles the call.
+
+```
+  /**
+   * NMDBusLibreswanHelper::handle-callback:
+   * @object: A #NMDBusLibreswanHelper.
+   * @invocation: A #GDBusMethodInvocation.
+   * @arg_environment: Argument passed by remote caller.
+
+   * Signal emitted when a remote caller is invoking the Callback()
+     D-Bus method.
+
+   * If a signal handler returns %TRUE, it means the signal handler
+     will handle the invocation (e.g. take a reference to @invocation
+     and eventually call nmdbus_libreswan_helper_complete_callback()
+     or e.g. g_dbus_method_invocation_return_error() on it) and no
+     other signal handlers will run. If no signal handler handles the
+     invocation, the %G_DBUS_ERROR_UNKNOWN_METHOD error is returned.
+
+   * Returns: %G_DBUS_METHOD_INVOCATION_HANDLED or %TRUE if the
+     invocation was handled, %G_DBUS_METHOD_INVOCATION_UNHANDLED or
+     %FALSE to let other signal handlers run.
+   */
+```
+
+At the moment, in case of error the handler first calls
+nmdbus_libreswan_helper_complete_callback() which decreases the
+refcount of "invocation", and then returns FALSE which tells the
+skeleton code to return an error, also unreferencing the
+invocation. This causes a crash.
+
+Since the G_DBUS_METHOD_INVOCATION_HANDLED alias for TRUE is only
+available since GLib 2.68 (while we target 2.36), just return TRUE.
+
+Fixes: acb9eb9de50b ('service: process the configuration in the service, not the helper')
+(cherry picked from commit 8ceb901719acac3778e1d76779d9c14289185157)
+---
+ src/nm-libreswan-service.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index fc470a6..4850729 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -1379,7 +1379,8 @@ out:
+ 	}
+ 
+ 	nmdbus_libreswan_helper_complete_callback (object, invocation);
+-	return success;
++
++	return TRUE;
+ }
+ 
+ /****************************************************************/
+-- 
+2.43.0
+

SPECS/NetworkManager-libreswan.spec

@@ -11,13 +11,15 @@
 Summary:   NetworkManager VPN plug-in for IPsec VPN
 Name:      NetworkManager-libreswan
 Version:   1.2.10
-Release:   4%{?dist}
+Release:   7%{?dist}
 License:   GPLv2+
 URL:       http://www.gnome.org/projects/NetworkManager/
 Group:     System Environment/Base
 Source0:   https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{name}-%{version}.tar.xz
 Patch0:    0001-po-import-translations-from-Red-Hat-translators.patch
 Patch1:    0002-properties-set-advanced-dialog-modal.patch
+Patch2:    0003-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch
+Patch3:    0004-ipsec-conf-escaping-cve-2024-9050.patch
 
 BuildRequires: gtk3-devel
 BuildRequires: libnl3-devel
@@ -109,6 +111,15 @@ update-desktop-database &> /dev/null || :
 %endif
 
 %changelog
+* Thu Oct 03 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-7
+- Unbreak validation of unknown keys
+
+* Wed Sep 25 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-6
+- Fix improper escaping of Libreswan configuration (CVE-2024-9050)
+
+* Mon Feb  5 2024 Wen Liang <wenliang@redhat.com> - 1.2.10-5
+- Fix crash in libreswan_add_profile_wrong_password (RHEL-13123)
+
 * Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.2.10-4
 - Rebuilt for MSVSphere 8.8